In many cases, the particular SQL statements that an
application has to execute are known at the time the application
is written. In some cases, however, the SQL statements are
composed at run time or provided by an external source. In these
cases you cannot embed the SQL statements directly into the C
source code, but there is a facility that allows you to call
arbitrary SQL statements that you provide in a string
variable.

EXECUTE IMMEDIATE can be used for
SQL statements that do not return a result set (e.g., DDL,
INSERT, UPDATE, DELETE). You
cannot execute statements that retrieve data (e.g., SELECT) this way. The next section describes how
to do that.

A more powerful way to execute arbitrary SQL statements is
to prepare them once and execute the prepared statement as
often as you like. It is also possible to prepare a generalized
version of a statement and then execute specific versions of it
by substituting parameters. When preparing the statement, write
question marks where you want to substitute parameters later.
For example: